The post Network Forensics: Getting Started With Stratoshark first appeared on Hackers Arise.
Welcome back, aspiring Digital Forensics Investigators!
For decades, the open-source Wireshark network protocol analyzer has been an essential tool for networking professionals, enabling them to inspect and troubleshoot network traffic through packet analysis. However, as organizations have increasingly shifted workloads to the cloud, they’ve struggled with reduced visibility into system activity. To address this gap, Stratoshark was introduced.

What is Stratoshark?
Stratoshark is a companion application to Wireshark, designed to analyze system calls and log messages from SCAP files, providing deeper insights into system-level activity. Since modern cloud systems primarily use Linux for running applications in containers, Stratoshark helps users troubleshoot, secure, and monitor their systems by capturing system activity directly from the Linux kernel.
Just as Wireshark helps network teams analyze packet data from PCAP files, Stratoshark records and interprets system activity using the libsinsp and libscap libraries, creating .scap files for detailed analysis.
- libsinsp is a system event processing library that allows Stratoshark to analyze system calls in real time, offering insights into how processes interact with the operating system.
- libscap is responsible for capturing system calls and audit logs directly from the Linux kernel, functioning as the data collection engine behind Stratoshark. It enables users to record detailed system activity for later examination.
Stratoshark extends beyond system calls to enhance cloud security monitoring. It can collect cloud audit logs using libscap, the same library used by Sysdig (a security and monitoring tool) and Falco (a runtime security tool for detecting threats). With the Falco CloudTrail plugin, Stratoshark retrieves AWS CloudTrail logs from S3, SQS, or SNS, helping security teams detect and analyze potential threats in cloud environments.

What are System Calls?
On a computer, you have various applications, such as web browsers, email clients, music players, and word processors—along with anything else you’ve installed. These applications often need to interact with external resources: web browsers require network access, music players need sound devices, etc. However, these applications don’t inherently know how to handle these interactions by themselves.
The operating system (OS) manages these interactions. It distinguishes between different connection types like WiFi and Ethernet, or storage devices like NVMe and SATA drives. More importantly, it abstracts these differences away so applications don’t need to worry about the underlying hardware details.
To facilitate this, the OS provides a standard set of functions that applications use to interact with external devices. These functions are typically straightforward, such as read(), write(), socket(), and sendmsg(). Together, they form what we call system calls. By monitoring these system calls, we can observe everything a program attempts to do—from network communications and file access to sound playback and much more.
How Can We Capture System Calls?
You can generate SCAP files using the sysdig command-line tool or by running Stratoshark directly on a Linux system.
Stratoshark supports multiple capture sources, including:
- Falcodump – Captures logs from various sources using Falco plugins and Linux syscalls.
- Sshdig – Enables remote system call capture over SSH using Sysdig.
Key Features of Stratoshark
Stratoshark offers several powerful features that make it an essential tool for system-level analysis:
- Real-time System Activity Monitoring: Track and analyze system calls as they happen.
- Comprehensive Filtering Options: Quickly isolate relevant system events using display filters.
- Cloud Integration: Native support for analyzing cloud audit logs.
- Visualization Tools: Transform complex system call sequences into understandable visualizations.
- Container Visibility: Gain insights into containerized applications and their interactions.
- Threat Detection: Identify suspicious activity patterns through system call analysis.
Similar to Wireshark’s color-coding for packet types, Stratoshark uses visual indicators to help analysts quickly identify different types of system calls and potential security issues.
Stratoshark vs. Wireshark: Understanding the Differences
While Stratoshark and Wireshark share similar interfaces and analysis approaches, they focus on different aspects of system observation:
| Feature | Stratoshark | Wireshark |
| --- | --- | --- |
| Primary Focus | System calls and OS interactions | Network packets and protocols |
| File Format | SCAP files | PCAP files |
| Main Use Cases | System troubleshooting, security monitoring, container analysis | Network troubleshooting, protocol analysis, traffic inspection |
| Capture Mechanism | Kernel modules, eBPF probes | Network interfaces, packet capture libraries |
| Environment | Particularly valuable in cloud and containerized systems | Network infrastructure (physical or virtual) |
| Analysis Level | OS and application behavior | Network communications |
These tools complement each other perfectly – Wireshark reveals what’s happening on the network, while Stratoshark provides visibility into what’s occurring inside the systems themselves.
Getting Stratoshark
Development packages for Windows and macOS are available through Wireshark’s automated builds. Note that native system call capture isn’t supported on these platforms.
For Stratoshark on Linux, you’ll need to build it from source.
For simplicity and ease of learning, I’ll be using Windows 11, where the installation process is as straightforward as any standard Windows application.
First Look: Navigating the Stratoshark Interface
Initial Launch Experience
When you first launch Stratoshark after installation, you’ll be greeted by its main interface, which deliberately mirrors Wireshark’s familiar layout to make transitioning between tools seamless. The application features a clean, well-organized workspace specifically designed for efficient system call analysis.

Accessing Sample Captures
To start exploring Stratoshark’s capabilities without capturing your own data, head over to the official website wiki.wireshark.org/Stratoshark, where you’ll find several sample SCAP files specifically created for learning purposes.

Analyzing SCAP Files with Stratoshark
Upon opening a SCAP file in Stratoshark, you’ll immediately notice the interface resembles Wireshark. The key difference, however, lies in the event details pane (the Stratoshark equivalent to Wireshark’s packet details pane).

This pane features a specialized set of expandable headers specifically designed for system call analysis. The most valuable headers for your analysis include:
- System Event – works just like Wireshark’s “Frame” header
  - Arrival Time – exact timestamp when the event occurred
- Event Information – contains the most essential analysis data
  - Direction – right-facing caret (>) shows a call from application to OS (request), while left-facing caret (<) indicates the OS response
  - Type – shows which specific system call function is being invoked
  - Arguments – displays the request or response values when applicable, varying by function called
- Process Information – details about the process making or receiving the system call
  - Name – identifies the process name
  - Parent Name – shows which process spawned the current one (for example, in a system running Apache, you might see Name = kworker and Parent Name = apache)
  - Process ID – matches the PID you’d see in tools like netstat or top, making it easy to correlate with other data sources
- File Descriptor Information – when present, shows details about files the process is interacting with
  - FD Name – since Linux treats almost everything as a file, this includes network sockets and other system resources
Mastering these key components will help you effectively interpret system call data and extract valuable insights from your captures.
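As an added example (not code from the original post or from the Stratoshark project), the Python below parses a few constructed event lines laid out like sysdig's default text output, recovers the Direction, Type, Arguments, process name and PID fields described above, pairs each request (>) with its response (<), and lists the calls the kernel rejected. The exact line layout and all sample values are assumptions made for the example.

```python
import re

# Constructed sample events (not from the page) in sysdig's default text layout:
# evt.num evt.time evt.cpu proc.name (thread.tid) evt.dir evt.type evt.args
SAMPLE_EVENTS = """\
101 10:22:31.000100000 0 curl (4242) > socket domain=2(AF_INET) type=1(SOCK_STREAM) proto=0
102 10:22:31.000150000 0 curl (4242) < socket fd=3(<4t>0.0.0.0:0->0.0.0.0:0)
103 10:22:31.000200000 0 curl (4242) > connect fd=3(<4t>0.0.0.0:0->0.0.0.0:0)
104 10:22:31.004000000 0 curl (4242) < connect res=0 tuple=10.0.0.5:51234->93.184.216.34:443
105 10:22:31.005000000 1 bash (4100) > openat dirfd=-100(AT_FDCWD) name=/etc/shadow flags=1(O_RDONLY)
106 10:22:31.005100000 1 bash (4100) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/etc/shadow
"""
EVENT_RE = re.compile(r"^(\d+) (\S+) (\d+) (.+?) \((\d+)\) ([<>]) (\w+)(?: (.*))?$")

def parse_events(text):
    """Turn each line into a dict mirroring the Event Information / Process fields."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed event line
        num, time, cpu, proc, tid, direction, etype, args = m.groups()
        events.append({"num": int(num), "time": time, "cpu": int(cpu), "proc": proc,
                       "tid": int(tid), "dir": direction, "type": etype, "args": args or ""})
    return events

def pair_calls(events):
    """Match each '>' (request) with the next '<' (response) of the same thread and type."""
    pending, pairs = {}, []
    for ev in events:
        key = (ev["tid"], ev["type"])
        if ev["dir"] == ">":
            pending[key] = ev
        elif key in pending:
            pairs.append((pending.pop(key), ev))
    return pairs

def return_value(exit_event):
    """Kernel result of a call: 'res=' or 'fd=' in the response; negative means an errno."""
    m = re.search(r"\b(?:res|fd)=(-?\d+)", exit_event["args"])
    return int(m.group(1)) if m else None

def failed_calls(events):
    """Return (process, call type, errno name) for every paired call the kernel rejected."""
    failures = []
    for enter, exit_ev in pair_calls(events):
        rv = return_value(exit_ev)
        if rv is not None and rv < 0:
            err = re.search(r"=-\d+\((\w+)\)", exit_ev["args"])
            failures.append((enter["proc"], enter["type"], err.group(1) if err else str(rv)))
    return failures
```

Running `failed_calls(parse_events(SAMPLE_EVENTS))` surfaces the rejected openat of /etc/shadow by bash, the same request/response view you get by expanding Event Information in Stratoshark.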
Summary
Stratoshark serves as a powerful companion to Wireshark, extending your digital forensic capabilities beyond network traffic analysis to system-level activity monitoring. By capturing and analyzing system calls directly from the Linux kernel, Stratoshark delivers crucial visibility into process-OS interactions—particularly valuable in today’s cloud-based, containerized environments where traditional network monitoring often falls short.
Source: HackersArise
Source Link: https://hackers-arise.com/network-forensics-getting-started-with-stratoshark/